Southeast Asian govt firms targeted by Sowbug cyberespionage group

08 Nov 2017

Southeast Asian and South American governments are under fire from a well-resourced cyberespionage group called Sowbug.

The group has been targeting government entities across the two regions and has already infiltrated organisations in Malaysia, Brunei, Argentina, Brazil, Ecuador and Peru.

Symantec Security Response researchers have been tracking the group’s movements, which first started in March 2017. The group itself may have been active since at least early 2015.

The group conducts surveillance. It also steals documents from the infiltrated organisations by bundling them in RAR archives and then extracting the archives later on.

Its other tactics include trawling remote shared drives and pulling files from shares owned by the targeted organisation.

Researchers believe the group is well-resourced and able to infiltrate many targets at once. It also operates outside the normal working hours of the targeted organisations, a strategy that may help them maintain a low profile.

In 2016, the group infected an organisation based in Asia through the Felismus backdoor (Backdoor.Felismus). It then collected system information as part of a reconnaissance mission. Four days later the group installed another tool. These actions allowed Felismus to spread from the initial computer across the network.

“In this case, the attackers maintained a presence on the target’s network for nearly six months between September 2016 and March 2017,” researchers say.

Among its tactics, Sowbug impersonates software packages such as Windows or Adobe Reader, but it has never compromised the genuine software.

Because its tools use filenames similar to those of legitimate software and are installed in directory trees that could be mistaken for it, the attackers are able to ‘hide in plain sight’.

However, Symantec researchers are not sure how Sowbug infiltrates a target’s networks.

“In some cases, there was no trace of how Felismus made its way onto compromised computers, meaning it was likely deployed from other compromised computers on the network,” they state.

In other cases, a tool called Starloader (Trojan.Starloader) installs and decrypts data from a file called Stars.jpg.

The group also used other tools, including credential dumpers and keyloggers, as part of its attack process.

“It is still unknown how Starloader is installed on the compromised computer. One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools,” researchers state.
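As an added illustration (not code from the article or from Symantec), the check below flags executables that carry the updater names quoted above but sit outside an expected vendor install tree or lack a vendor code signature. The vendor directories, signer names and the file inventory are constructed assumptions for this example.

```python
from typing import List, Optional, Tuple

# Filenames the article quotes for Starloader. The vendor directories and
# signer names below are assumptions for this example, not from the article.
LOOKALIKE_NAMES = {"adobeupdate.exe", "acrobatupdate.exe", "intelupdate.exe"}
EXPECTED_VENDOR_DIRS = {
    "adobe": ("c:\\program files\\adobe\\",
              "c:\\program files (x86)\\adobe\\",
              "c:\\program files\\common files\\adobe\\"),
    "intel": ("c:\\program files\\intel\\",
              "c:\\program files (x86)\\intel\\"),
}


def vendor_for(name: str) -> Optional[str]:
    """Map a lookalike filename to the vendor it pretends to come from."""
    name = name.lower()
    if name in ("adobeupdate.exe", "acrobatupdate.exe"):
        return "adobe"
    if name == "intelupdate.exe":
        return "intel"
    return None


def is_suspicious(path: str, signed_by: Optional[str]) -> bool:
    """True when a file mimics a vendor updater by name but is not where that
    vendor installs, or is not signed by that vendor (signer is supplied by the
    caller, e.g. from an Authenticode check)."""
    lowered = path.lower()
    filename = lowered.rsplit("\\", 1)[-1]
    vendor = vendor_for(filename)
    if vendor is None:
        return False  # not one of the names we are hunting for
    in_vendor_dir = lowered.startswith(EXPECTED_VENDOR_DIRS[vendor])
    vendor_signed = signed_by is not None and signed_by.lower() == vendor
    return not (in_vendor_dir and vendor_signed)


def triage(inventory: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the paths from a (path, signer) inventory that need a closer look."""
    return [path for path, signer in inventory if is_suspicious(path, signer)]


# Constructed sample inventory: one legitimate signed updater, three lookalikes.
SAMPLE_INVENTORY = [
    ("C:\\Program Files\\Adobe\\Acrobat\\AcrobatUpdate.exe", "Adobe"),
    ("C:\\Users\\Public\\AdobeUpdate.exe", None),
    ("C:\\Windows\\Temp\\INTELUPDATE.EXE", "Intel"),
    ("C:\\Program Files\\Adobe\\AdobeUpdate.exe", None),
    ("C:\\Windows\\System32\\notepad.exe", "Microsoft"),
]
```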

Symantec warns that cyberespionage attacks are often seen in Asia. The number of cyberespionage campaigns is increasing, and Sowbug’s existence demonstrates that no region is immune to such threats.
